Wednesday, December 4, 2013

Forget debit cards, use cash: PIN mandate is not as safe as you think

If debit cards with magnetic strips are easy to clone, new credit cards with chips are more difficult to copy – PIN clearly can always be accessed. So they are not necessarily safer. Reuters

FP, by Bindisha Sarang, Dec 4, 2013

British scientist and writer CP Snow once said, “Technology … is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.” And likewise, what was once intended to be a great boon for debit cardholders has now turned out to be a half-curse.

The Reserve Bank of India has mandated that debit card retail transactions will henceforth be authorised only if the cardholder enters the right PIN – the same PIN you use at ATMs. From 1 December, if you want to use your debit card at retail outlets (Big Bazaar, Shoppers’ Stop etc), apart from signature verification, you will also have to punch your ATM PIN into the card-reading machine, a.k.a. EDC machine, for the financial transaction to go through. And though this move has been put in place to make the transactions safe, there is a good possibility that it may actually increase the risk of fraud.

Shoulder surfing: Sample this: you are in a mall with two shopping carts full of groceries, and people are looking over your shoulder impatiently. Finally you reach the cashier, who swipes the debit card and asks you to put in the PIN. You are surrounded by cashiers, mall help staff, fellow shoppers, in short a zillion pairs of eyes. Mayur Joshi, CEO, Indiaforensic.com, a company engaged in prevention, detection and investigation of frauds, says: “In crowded places like malls, and large grocery shops, it’s very easy to become a victim of shoulder surfing.” That is, someone being able to actually see the four-digit number you punch into the PIN pad. Come on, in an overcrowded country like India, you can’t really expect people to look away when you punch the PIN into the machine, can you? And even if you do cover the PIN pad with one hand, there’s always a chance that someone (a fraudster who has placed himself/his camera in the right spot) might just see it from some corner. Who knows for sure if you have 100 percent privacy?

Can you trust the merchant: Okay, the above example was for a merchant outlet where there are a large number of shoppers around the cashier’s counter. But even in smaller shops, can you really trust the merchant or his staff? Instances have been known where dishonest hotel staff have used skimmers to capture the magnetic information on the victim’s card – enabling them to make cloned cards. This data can then be used for online frauds. Now that you punch in your PIN as well, it’s possible for skimmers to capture even your PIN – and fraudsters could then get at the cash in your bank account through an ATM.

Okay, that may be the case with a few dishonest merchant outlets or their staff, but how on earth can you ensure that the retailer is not actually storing your PIN?

Can the PIN be stored:

The next question to ask is: can the PIN be stored (knowingly/unknowingly) on the card reader machine by the retailer? According to this report in the USA, instances have been known where many merchants have incorrectly stored PIN information they should be destroying after customers enter the secret code. While we agree this is a western world report, Indian fraudsters have always been inspired to copy those tricks in the domestic markets. What would stop our fraudsters? And even if your merchant has stored the PIN inadvertently on his card machine, a hacker can easily access the retailer’s machine to get data about several card holders along with their PINs. The truth is that it’s really hard for us as lay users to know how safe the point-of-sale terminal is.


Having said that, two Firstpost employees who used their debit cards on 2 December at retail outlets managed to do their transactions without a PIN. This is a violation of the RBI mandate, but apparently some banks have still to install card readers that require PINs to be punched. A private banker we spoke to told us that his bank had complied with the RBI guideline but a few other banks still hadn’t. And if the customer used his bank’s card on another bank’s card reader (whose software has not been updated), the transaction would be rejected.

All in all, it’s one big glorious mess, and if you are smart, you would ditch using your debit card at retail outlets and instead simply stick to paper money.

But here’s the poser: the purpose of having credit and debit cards is to reduce the use of paper money. But this new requirement is making debit card use relatively unsafe for many.